bug#31072: 27.0.50; Assertion failure in defvar

bug#31072: 27.0.50; Assertion failure in defvar

[Philipp]

Loading the following file triggers an assertion failure:

;;; -*- lexical-binding: t; -*-
(defvar 1)

$ emacs -Q -batch -l /tmp/crash.el 
eval.c:772: Emacs fatal error: assertion failed: SYMBOLP (sym)
Fatal error 6: Abort trapAbort trap: 6

This is because Fdefvar lacks a CHECK_SYMBOL in the second branch
(lexical binding but only one argument).

Backtrace:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff6b22ce3e libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff6b36b150 libsystem_pthread.dylib`pthread_kill + 333
    frame #2: 0x00007fff6b13b8fe libsystem_c.dylib`raise + 26
    frame #3: 0x00000001001b73ca emacs`terminate_due_to_signal(sig=6, backtrace_limit=40) at emacs.c:395
    frame #4: 0x00000001001f98e3 emacs`emacs_abort at sysdep.c:2426
    frame #5: 0x0000000100453ef8 emacs`ns_term_shutdown(sig=6) at nsterm.m:5478
    frame #6: 0x00000001001b7710 emacs`shut_down_emacs(sig=6, stuff=(i = 0x0000000000000000)) at emacs.c:2132
    frame #7: 0x00000001001b7366 emacs`terminate_due_to_signal(sig=6, backtrace_limit=2147483647) at emacs.c:378
    frame #8: 0x0000000100288bab emacs`die(msg="SYMBOLP (sym)", file="eval.c", line=772) at alloc.c:7434
    frame #9: 0x00000001002f1f1d emacs`Fdefvar(args=(i = 0x0000000106051a63)) at eval.c:772
    frame #10: 0x00000001002ea9aa emacs`eval_sub(form=(i = 0x0000000106051a93)) at eval.c:2238
    frame #11: 0x000000010037d75f emacs`readevalloop_eager_expand_eval(val=(i = 0x0000000106051a93), macroexpand=(i = 0x00000000056c5668)) at lread.c:1884
    frame #12: 0x0000000100375115 emacs`readevalloop(readcharfun=(i = 0x0000000101004ba5), infile0=0x0000000000000000, sourcename=(i = 0x00000001010066b4), printflag=false, unibyte=(i = 0x0000000000000000), readfun=(i = 0x0000000000000000), start=(i = 0x0000000000000000), end=(i = 0x0000000000000000)) at lread.c:2070
    frame #13: 0x000000010037588a emacs`Feval_buffer(buffer=(i = 0x0000000101004ba5), printflag=(i = 0x0000000000000000), filename=(i = 0x00000001010048d4), unibyte=(i = 0x0000000000000000), do_allow_print=(i = 0x000000000000b8e0)) at lread.c:2137
    frame #14: 0x000000010030a6f3 emacs`funcall_subr(subr=0x000000010093c920, numargs=5, args=0x00007ffeefbf7fb0) at eval.c:2908
    frame #15: 0x0000000100308cab emacs`Ffuncall(nargs=6, args=0x00007ffeefbf7fa8) at eval.c:2821
    frame #16: 0x00000001003b2e4d emacs`exec_byte_code(bytestr=(i = 0x000000010055da5c), vector=(i = 0x000000010055da7d), maxdepth=(i = 0x000000000000001a), args_template=(i = 0x0000000000000000), nargs=0, args=0x0000000000000000) at bytecode.c:632
    frame #17: 0x000000010030b2df emacs`funcall_lambda(fun=(i = 0x000000010055d9dd), nargs=4, arg_vector=0x00007ffeefbf9478) at eval.c:3100
    frame #18: 0x0000000100308cfb emacs`Ffuncall(nargs=5, args=0x00007ffeefbf9470) at eval.c:2823
    frame #19: 0x0000000100309e89 emacs`call4(fn=(i = 0x0000000005eb6528), arg1=(i = 0x00000001010048d4), arg2=(i = 0x00000001010048d4), arg3=(i = 0x0000000000000000), arg4=(i = 0x000000000000b8e0)) at eval.c:2697
    frame #20: 0x00000001003717df emacs`Fload(file=(i = 0x0000000101229954), noerror=(i = 0x0000000000000000), nomessage=(i = 0x000000000000b8e0), nosuffix=(i = 0x0000000000000000), must_suffix=(i = 0x0000000000000000)) at lread.c:1366
    frame #21: 0x000000010030a6f3 emacs`funcall_subr(subr=0x000000010093c8f0, numargs=3, args=0x00007ffeefbf9d68) at eval.c:2908
    frame #22: 0x0000000100308cab emacs`Ffuncall(nargs=4, args=0x00007ffeefbf9d60) at eval.c:2821
    frame #23: 0x00000001003b2e4d emacs`exec_byte_code(bytestr=(i = 0x000000010063cf1c), vector=(i = 0x000000010063cf3d), maxdepth=(i = 0x000000000000005e), args_template=(i = 0x0000000000000406), nargs=1, args=0x00007ffeefbfb5f8) at bytecode.c:632
    frame #24: 0x000000010030ac7c emacs`funcall_lambda(fun=(i = 0x000000010063ceed), nargs=1, arg_vector=0x00007ffeefbfb5f0) at eval.c:3022
    frame #25: 0x0000000100308cfb emacs`Ffuncall(nargs=2, args=0x00007ffeefbfb5e8) at eval.c:2823
    frame #26: 0x00000001003b2e4d emacs`exec_byte_code(bytestr=(i = 0x0000000100637834), vector=(i = 0x0000000100637855), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfd048) at bytecode.c:632
    frame #27: 0x000000010030ac7c emacs`funcall_lambda(fun=(i = 0x0000000100637805), nargs=0, arg_vector=0x00007ffeefbfd048) at eval.c:3022
    frame #28: 0x0000000100308cfb emacs`Ffuncall(nargs=1, args=0x00007ffeefbfd040) at eval.c:2823
    frame #29: 0x00000001003b2e4d emacs`exec_byte_code(bytestr=(i = 0x00000001006367e4), vector=(i = 0x0000000100636805), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfe4e0) at bytecode.c:632
    frame #30: 0x000000010030ac7c emacs`funcall_lambda(fun=(i = 0x00000001006367b5), nargs=0, arg_vector=0x00007ffeefbfe4e0) at eval.c:3022
    frame #31: 0x00000001002fee63 emacs`apply_lambda(fun=(i = 0x00000001006367b5), args=(i = 0x0000000000000000), count=4) at eval.c:2958
    frame #32: 0x00000001002efb2c emacs`eval_sub(form=(i = 0x00000001020738d3)) at eval.c:2331
    frame #33: 0x00000001002faae7 emacs`Feval(form=(i = 0x00000001020738d3), lexical=(i = 0x0000000000000000)) at eval.c:2106
    frame #34: 0x00000001001d9b8a emacs`top_level_2 at keyboard.c:1120
    frame #35: 0x00000001002f8f4f emacs`internal_condition_case(bfun=(emacs`top_level_2 at keyboard.c:1119), handlers=(i = 0x0000000000004a10), hfun=(emacs`cmd_error at keyboard.c:939)) at eval.c:1332
    frame #36: 0x00000001001d9831 emacs`top_level_1(ignore=(i = 0x0000000000000000)) at keyboard.c:1128
    frame #37: 0x00000001002f8158 emacs`internal_catch(tag=(i = 0x000000000000bf10), func=(emacs`top_level_1 at keyboard.c:1125), arg=(i = 0x0000000000000000)) at eval.c:1097
    frame #38: 0x00000001001bba91 emacs`command_loop at keyboard.c:1089
    frame #39: 0x00000001001bb8d4 emacs`recursive_edit_1 at keyboard.c:696
    frame #40: 0x00000001001bbd01 emacs`Frecursive_edit at keyboard.c:767
    frame #41: 0x00000001001b9379 emacs`main(argc=5, argv=0x00007ffeefbff7a0) at emacs.c:1724
    frame #42: 0x00007fff6b0dd115 libdyld.dylib`start + 1


Found by american fuzzy lop.


In GNU Emacs 27.0.50 (build 60, x86_64-apple-darwin17.4.0, NS appkit-1561.20 Version 10.13.3 (Build 17D102))
 of 2018-04-06 built on p
Repository revision: 3deaac1bd9569fd57185e9e6256cc8419323ba78
Windowing system distributor 'Apple', version 10.3.1561
System Description:  Mac OS X 10.13.3

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop --with-mailutils
 --enable-gcc-warnings=yes --enable-checking
 --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES THREADS
JSON

Important settings:
  value of $LANG: de_DE.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny seq byte-opt gv
bytecomp byte-compile cconv dired dired-loaddefs format-spec rfc822 mml
easymenu mml-sec password-cache epa derived epg epg-config gnus-util
rmail rmail-loaddefs mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047
rfc2045 ietf-drums mm-util mail-prsvr mail-utils time-date elec-pair
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/ns-win ns-win ucs-normalize mule-util term/common-win
tool-bar dnd fontset image regexp-opt fringe tabulated-list replace
newcomment text-mode elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow isearch timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core term/tty-colors frame cl-generic
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese composite charscript charprop
case-table epa-hook jka-cmpr-hook help simple abbrev obarray minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote kqueue cocoa ns
multi-tty make-network-process emacs)

Memory information:
((conses 16 204514 6370)
 (symbols 48 19989 1)
 (miscs 40 56 173)
 (strings 32 28825 1989)
 (string-bytes 1 771796)
 (vectors 16 35273)
 (vector-slots 8 721624 13558)
 (floats 8 51 65)
 (intervals 56 210 0)
 (buffers 992 11))

bug#31072: 27.0.50; Assertion failure in defvar

[Philipp Stephani]

[-- Attachment #1.1: Type: text/plain, Size: 464 bytes --]

Philipp <p.stephani2@gmail.com> schrieb am Fr., 6. Apr. 2018 um 03:25 Uhr:

>
> Loading the following file triggers an assertion failure:
>
> ;;; -*- lexical-binding: t; -*-
> (defvar 1)
>
> $ emacs -Q -batch -l /tmp/crash.el
> eval.c:772: Emacs fatal error: assertion failed: SYMBOLP (sym)
> Fatal error 6: Abort trapAbort trap: 6
>
> This is because Fdefvar lacks a CHECK_SYMBOL in the second branch
> (lexical binding but only one argument)
>

Here is a patch.

[-- Attachment #1.2: Type: text/html, Size: 776 bytes --]

[-- Attachment #2: 0001-Avoid-undefined-behavior-in-defvar-Bug-31072.txt --]
[-- Type: text/plain, Size: 1278 bytes --]

From e4e301c8228e6d29cec6b44d86da47a0db8f3e0c Mon Sep 17 00:00:00 2001
From: Philipp Stephani <phst@google.com>
Date: Fri, 6 Apr 2018 17:55:59 +0200
Subject: [PATCH] Avoid undefined behavior in 'defvar' (Bug#31072)

* src/eval.c (Fdefvar): Check that first argument is a symbol.
* test/src/eval-tests.el (defvar/bug31072): New unit test.
---
 src/eval.c             | 2 ++
 test/src/eval-tests.el | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/src/eval.c b/src/eval.c
index a6e1d86c4a..90d8c33518 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -737,6 +737,8 @@ usage: (defvar SYMBOL &optional INITVALUE DOCSTRING)  */)
   sym = XCAR (args);
   tail = XCDR (args);
 
+  CHECK_SYMBOL (sym);
+
   if (!NILP (tail))
     {
       if (!NILP (XCDR (tail)) && !NILP (XCDR (XCDR (tail))))
diff --git a/test/src/eval-tests.el b/test/src/eval-tests.el
index 59da6b7cc3..319dd91c86 100644
--- a/test/src/eval-tests.el
+++ b/test/src/eval-tests.el
@@ -113,4 +113,8 @@ eval-tests--exceed-specbind-limit
         (signal-hook-function #'ignore))
     (should-error (eval-tests--exceed-specbind-limit))))
 
+(ert-deftest defvar/bug31072 ()
+  "Check that Bug#31072 is fixed."
+  (should-error (eval '(defvar 1) t) :type 'wrong-type-argument))
+
 ;;; eval-tests.el ends here
-- 
2.17.0

bug#31072: 27.0.50; Assertion failure in defvar

[Paul Eggert]

Please install that patch into 'master' and reply to 31072-done@debbugs.gnu.org 
to mark this bug as done. And thanks.

bug#31072: 27.0.50; Assertion failure in defvar

[Paul Eggert]

I installed that patch into master. Thanks again. Closing the bug.